Clearview AI sees red as UK tribunal sides with regulator over $10M GDPR fine (www.theregister.com)

The UK’s Upper Tribunal has sided with the Information Commissioner’s Office, overturning a 2023 First-tier Tribunal decision and ruling that Clearview AI’s mass scraping of UK residents’ photos falls within the territorial scope of the UK GDPR. The judgment clears the way for the ICO’s original £7.5m (about $10m) penalty issued in May 2022 to be reconsidered: the case will return to the FTT to determine whether Clearview actually breached the law and whether the fine should be imposed. Central to the UT’s decision was that Clearview’s processing amounted to behavior monitoring of UK residents under Article 3(2)(b), and that the Article 2(2)(a) law‑enforcement exclusion — which limits state-to-state interference — does not shield a commercial vendor selling services to foreign law-enforcement clients. For the AI/ML community this is a notable expansion of regulatory reach: the ruling signals that foreign companies that harvest publicly available images or build biometric/search databases can be regulated by UK data protection law when their processing targets UK people, even if services are sold to overseas law enforcement. Practically, it raises compliance and enforcement risk for firms training models on scraped personal data, reinforces scrutiny of biometric and face‑recognition pipelines, and underscores that national‑security arguments won’t automatically place such activity outside GDPR supervision. Clearview said it will appeal.